rlogin

用法概要

描述

The rlogin utility establishes a remote login session from your terminal to
the remote machine named hostname. The user can choose to kerberize the
rlogin session using Kerberos V5 and also protect the data being transferred.

Hostnames are listed in the hosts database, which can be contained in
the /etc/hosts file, the Network Information Service (NIS) hosts map, the Internet
domain name server, or a combination of these. Each host has one official
name (the first name in the database entry), and optionally one or
more nicknames. Either official hostnames or nicknames can be specified in hostname.

The user can opt for a secure rlogin session which uses Kerberos
V5 for authentication. Encryption of the session data is also possible. The
rlogin session can be kerberized using any of the following Kerberos specific
options: -A, -PN or -PO, -x, -f or -F, and -krealm.
Some of these options (-A, -x, -PN or -PO, and -f or
-F) can also be specified in the [appdefaults] section of krb5.conf(4). The
usage of these options and the expected behavior is discussed in the
OPTIONS section below. If Kerberos authentication is used, authorization to the account is
controlled through rules in krb5_auth_rules(5). If this authorization fails, fallback to normal
rlogin using rhosts occurs only if the -PO option is used explicitly
on the command line or is specified in krb5.conf(4). Also notice that
the -PN or -PO, -x, -f or -F, and -krealm options
are just supersets of the -A option.

The remote terminal type is the same as your local terminal type,
as given in your environment TERM variable. The terminal or window size
is also copied to the remote system if the server supports the
option. Changes in size are reflected as well. All echoing takes place
at the remote site, so that (except for delays) the remote login is
transparent. Flow control using Control-S and Control-Q and flushing of input and
output on interrupts are handled properly.

选项

The following options are supported:

-8

Passes eight-bit data across the net instead of seven-bit data.

-a

Forces the remote machine to ask for a password by sending a null local username.

-A

Explicitly enables Kerberos authentication and trusts the .k5login file for access-control. If the authorization check by in.rlogind(1M) on the server-side succeeds and if the .k5login file permits access, the user is allowed to login without supplying a password.

-ec

Specifies a different escape character, c, for the line used to disconnect from the remote host.

-E

Stops any character from being recognized as an escape character.

-f

Forwards a copy of the local credentials (Kerberos Ticket Granting Ticket) to the remote system. This is a non-forwardable ticket granting ticket. You must forward a ticket granting ticket if you need to authenticate yourself to other Kerberized network services on the remote host. An example is if your home directory on the remote host is NFS mounted via Kerberos V5. If your local credentials are not forwarded in this case, you can not access your home directory. This option is mutually exclusive with the -F option.

-F

Forwards a forwardable copy of the local credentials (Kerberos Ticket Granting Ticket) to the remote system. The -F option provides a superset of the functionality offered by the -f option. For example, with the -f option, after you connected to the remote host, any attempt to invoke /usr/bin/ftp, /usr/bin/telnet, /usr/bin/rlogin, or /usr/bin/rsh with the -f or -F options would fail. Thus, you would be unable to push your single network sign on trust beyond one system. This option is mutually exclusive with the -f option.

-krealm

Causes rlogin to obtain tickets for the remote host in realm instead of the remote host's realm as determined by krb5.conf(4).

-K

This option explicitly disables Kerberos authentication. It can be used to override the autologin variable in krb5.conf(4).

-lusername

Specifies a different username for the remote login. If you do not use this option, the remote username used is the same as your local username.

-L

Allows the rlogin session to be run in “litout” mode.

-PN

-PO

Explicitly requests the new (-PN) or old (-PO) version of the Kerberos `rcmd' protocol. The new protocol avoids many security problems prevalant in the old one and is considered much more secure, but is not interoperable with older (MIT/SEAM) servers. The new protocol is used by default, unless explicitly specified using these options or by using krb5.conf(4). If Kerberos authorization fails when using the old `rcmd' protocol, there is fallback to regular, non-kerberized rlogin. This is not the case when the new, more secure `rcmd' protocol is used.

-x

Turns on DES encryption for all data passed through the rlogin session. This reduces response time and increases CPU utilization.

Escape Sequences

Lines that you type which start with the tilde character (~) are
“escape sequences.” The escape character can be changed using the -e option.

~.

Disconnects from the remote host. This is not the same as a logout, because the local host breaks the connection with no warning to the remote end.

~susp

Suspends the login session, but only if you are using a shell with Job Control. susp is your “suspend” character, usually Control-Z. See tty(1).

~dsusp

Suspends the input half of the login, but output is still able to be seen (only if you are using a shell with Job Control). dsusp is your “deferred suspend” character, usually Control-Y. See tty(1).

操作数

hostname

The remote machine on which rlogin establishes the remote login session.

用法

For the kerberized rlogin session, each user can have a private authorization
list in a file, .k5login, in his home directory. Each line in
this file should contain a Kerberos principal name of the form principal/instance@realm. If
there is a ~/.k5login file, access is granted to the account if
and only if the originating user is authenticated to one of the
principals named in the ~/.k5login file. Otherwise, the originating user is granted
access to the account if and only if the authenticated principal name of
the user can be mapped to the local account name using the
authenticated-principal-name -> local-user-name mapping rules. The .k5login file (for access control) comes
into play only when Kerberos authentication is being done.

For the non-secure rlogin session, each remote machine can have a file
named /etc/hosts.equiv containing a list of trusted host names with which it
shares user names. Users with the same user name on both the
local and remote machine can rlogin from the machines listed in the remote
machine's /etc/hosts.equiv file without supplying a password. Individual users camayn set up
a similar private equivalence list with the file .rhosts in their home
directories. Each line in this file contains two names, that is, a host
name and a user name, separated by a space. An entry in
a remote user's .rhosts file permits the user named username who is
logged into hostname to log in to the remote machine as the
remote user without supplying a password. If the name of the local host
is not found in the /etc/hosts.equiv file on the remote machine, and
the local user name and host name are not found in the
remote user's .rhosts file, then the remote machine prompts for a password. Host
names listed in the /etc/hosts.equiv and .rhosts files must be the official
host names listed in the hosts database. Nicknames can not be used
in either of these files.

For security reasons, the .rhosts file must be owned by either the
remote user or by root.

文件

/etc/passwd

Contains information about users' accounts.

/usr/hosts/*

For hostname version of the command.

/etc/hosts.equiv

List of trusted hostnames with shared user names.

/etc/nologin

Message displayed to users attempting to login during machine shutdown.